Sentinel research head Udi Shamir reported on Thursday that the ‘Gyges’ malware, which he believes was developed by the Russian intelligence service, has recently been bolted-on to ransomware and online banking Trojans, making them much more difficult to detect.
Sentinel warns that because Gyges has sophisticated ‘government-grade’ anti-tampering and anti-detection techniques “it is virtually invisible and capable of operating undetected for long periods of time”.
The blog says: “Gyges is an early example of how advanced techniques and code developed by governments for espionage are effectively being re-purposed, modularised and coupled with other malware to commit cyber-crime.”
Gyges targets Microsoft Windows 7 and 8 operating systems and is designed for both the x86 and x64 CPU architectures. Sentinel has tracked it being used for ‘government’ purposes such as network eavesdropping, key logging, stealing user identities, screen capturing and IP theft; and for criminal purposes such as ransomware, banking fraud, installing rootkits and Trojans, and creating botnets and zombie networks.
The company first saw the malware in March and was intrigued by its “sophisticated” masking techniques – which led them to discover its nation-state origins. Shamir wrote: “Gyges uses a hooking bypass technique that exploits a logic bug in Windows 7 and Windows 8. It also combines highly advanced anti-debugging and anti-reverse-engineering.
“The malicious code used for all of these evasion techniques is significantly more sophisticated than the core executable. That led us to believe that it was previously used as a ‘bus’ or ‘carrier’ for much more sophisticated attacks such as government data exfiltration. We eventually recovered government traces inside the carrier code.”
Sentinel has named it after the ring of Gyges in Greek mythology, which makes its owner invisible. Shamir said: “It uses less well-known injection techniques and waits for user inactivity (as opposed to the more common technique of waiting for user activity). This method is clearly designed to bypass sandbox-based security products which emulate user activity to trigger malware execution.”
The blog adds: “The malware is packed with heavily modified Yoda protector, which provides polymorphic encryption and anti-debugging.”